Emotet Botnet Shows Signs of Revival

After two months of inactivity, the notorious Emotet botnet appears poised to begin delivering malicious code again: its command-and-control servers are once more active in the wild, researchers at the security firm Cofense warn.

The servers were first spotted on Aug. 21, Cofense researchers explained in a series of tweets posted late last week. After a burst of activity in May, the botnet stayed dormant for much of June and July, they noted.

The last known case of a large-scale Emotet attack was reported in India in May, when a group of 8,000 botnet intrusions targeted a number of businesses, Livemint reports.

On Thursday, however, Cofense researchers began reporting that they had spotted active command-and-control servers connected to Emotet. So far, the botnet does not appear to have been used to deliver malicious code or to run new campaigns, researchers say.

The Emotet botnet arose from the grave yesterday and began serving up new binaries. We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes.

Dangerous Emotet

Originally designed as a banking Trojan, Emotet has evolved over the years into malicious code that runs a large-scale botnet and delivers other malware to a wide range of systems; security experts consider it one of the most dangerous malware families operating in the wild.

Researchers have noted that regular upgrades by Emotet's developers have given the malware additional capabilities, such as credential theft, evasion of security controls and the ability of an infected device to respond to commands from the command-and-control servers (see: 5 Malware Trends: Emotet Is Hot, Cryptominers Decline).

Tonia Dudley, a security solutions advisor at Cofense, notes that Emotet is particularly good at leveraging the data of older victims in order to create new attacks.

"They actively gather the victims' contact lists as well as older emails and will specifically target those contacts," Dudley tells Information Security Media Group. "This leads to what appears to be spear-phishing on one of the largest scales ever seen. It is well known that victims will also receive further malware that may lead to ransomware as well. The botnet's victims include home users all the way up to government organizations."

An earlier study by Sophos categorizes the Trojan as worse than WannaCry and states that Emotet's frequent updates make the containment of the various malicious strains difficult. Sophos found as many as 750 varieties of Emotet malware by the end of January.

Two of the malware families most closely associated with Emotet are TrickBot - another banking Trojan that has found multiple uses and is frequently distributed by Emotet - and the Ryuk ransomware, which researchers believe uses the footholds and network propagation capabilities of Emotet infections to stage larger attacks.

For instance, in March, officials in Jackson County, Georgia, paid out $400,000 to attackers after a ransomware attack crippled IT systems for about two weeks. Local news media reported the county government had been hit with Ryuk (see: Georgia County Pays $400,000 to Ransomware Attackers).

State of Dormancy

This isn't the first time this malware strain has re-emerged after a period of inactivity.

"So far in 2019, I've seen Emotet retrieve Gootkit and the IcedID banking Trojan. As 2019 progresses, I expect to find examples of Emotet distributing other families of malware like Qakbot and Trickbot, something we saw in 2018," Duncan said at the time.

Cofense's Dudley adds that it's not unusual for the attackers to go quiet for a time and then come back with stronger Emotet attacks.

"They have gone on breaks in the past, however this does not normally include a complete shutdown of their [command-and-control] infrastructure," Dudley says. "Emotet has always worked as a large scale attack comprised of multiple smaller campaigns during the workweek. While we expect them to maintain their standard operating procedures of distribution via malspam, we are actively monitoring for changes that they may have made over this last hiatus."

Other Warnings

In addition to Cofense, other researchers and security firms have started posting their own new warnings about a possible resurgence of Emotet and are warning security professionals to remain vigilant.

For instance, Black Lotus Labs, which is the research and threat division of CenturyLink, released via GitHub a list of servers and IP addresses that appear connected to the botnet, according to Bleeping Computer.
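Two observations in this article translate directly into a hunting check: Cofense noted that the C2 servers are again answering POST requests, and Black Lotus Labs published a list of C2 addresses. The script below, an added example that is not code from Cofense, Black Lotus Labs or this article, matches outbound HTTP POSTs in proxy logs against an indicator list of ip:port pairs. The indicator entries (RFC 5737 documentation addresses) and the log lines are constructed for the demo and are not real Emotet infrastructure; the simplified log format and the internal host addresses are assumptions.

```python
"""Hunt proxy logs for HTTP POSTs to addresses on an Emotet C2 indicator list.

Constructed example for this article; not Cofense or Black Lotus Labs code.
The indicator list and log lines below are made up for the demo. In practice
the indicators would come from a published feed (the GitHub list mentioned in
the article), whose contents are not reproduced here.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed indicators (RFC 5737 documentation ranges), NOT real Emotet C2s.
C2_INDICATORS = """
# host:port  (comment and blank lines are ignored)
192.0.2.10:8080
198.51.100.25:443
203.0.113.7:80
"""

# Constructed proxy log lines in an assumed, simplified format:
# <unix_time> <client_ip> <method> <dest_ip>:<port> <status> <bytes_sent>
SAMPLE_LOG = """\
1566413820 10.1.4.22 GET 93.184.216.34:80 200 512
1566413825 10.1.4.22 POST 192.0.2.10:8080 200 712
1566413831 10.1.4.57 POST 192.0.2.10:8080 200 698
1566413840 10.1.4.22 GET 198.51.100.25:443 404 0
1566413855 10.1.4.91 POST 203.0.113.7:80 200 731
1566413860 10.1.4.22 POST 172.217.4.1:443 200 300
"""


@dataclass(frozen=True)
class Hit:
    timestamp: int
    client: str
    dest: str
    port: int
    status: int


LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<dest>[^:\s]+):(?P<port>\d+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def load_indicators(text: str) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' lines into a set of (ip, port).

    Comment and blank lines are skipped; a malformed IP raises ValueError so a
    corrupted feed fails loudly instead of silently matching nothing.
    """
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        ipaddress.ip_address(ip)  # validation only
        out.add((ip, int(port)))
    return out


def find_c2_posts(log_lines: Iterable[str], indicators: Set[Tuple[str, int]]) -> List[Hit]:
    """Return every POST whose destination ip:port is on the indicator list.

    Emotet bots check in over HTTP POST, so only POSTs are flagged; a GET to a
    listed address (a scanner, a browser) is not reported as a check-in.
    """
    hits = []
    for raw in log_lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["method"] == "POST" and (m["dest"], int(m["port"])) in indicators:
            hits.append(Hit(int(m["ts"]), m["client"], m["dest"],
                            int(m["port"]), int(m["status"])))
    return hits


def infected_hosts(hits: Iterable[Hit]) -> Counter:
    """Count check-ins per internal client; repeated POSTs from one host suggest a live bot."""
    return Counter(h.client for h in hits)


if __name__ == "__main__":
    ind = load_indicators(C2_INDICATORS)
    found = find_c2_posts(SAMPLE_LOG.splitlines(), ind)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.dest}:{h.port} (HTTP {h.status})")
    print(infected_hosts(found))
```

Over the constructed log this flags three POSTs to listed addresses from three internal hosts, and ignores both the GET to a listed address and the POST to an unlisted one. Matching on ip:port rather than IP alone avoids alerting on unrelated traffic to a host that happens to share an address with a C2; the trade-off is that a port change on the attacker's side is missed until the feed is refreshed.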

In a tweet, MalwareTech, a site run by security researcher Marcus Hutchins, confirmed that while there is some new activity related to Emotet, no new malicious code or campaigns have been reported.

"No new bot binaries so far, but the C2s are responding for the first time in months," Hutchins tweets.

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked at Analytics India Magazine, The New Indian Express and IDG, where she reported on developments in technology and education.
